Galois field computation

ABSTRACT

A method and device for computing the multiplicative inverse of an element x in the Galois field GF(p^(2m)) is proposed. In particular, when p is a prime number and m is an integer, the inverse may be constructed based on the observation that x^(p^m+1) is an element of the sub-field GF(p^m), so the inversion of x^(p^m+1) can be carried out in the sub-field. The inverse of x is then obtained by multiplying (x^(p^m+1))^(−1) by x^(p^m), that is, x^(−1) = x^(p^m)·(x^(p^m+1))^(−1).

FIELD

The present invention relates to Galois field computations, and to methods and devices for the computation of the inversions of Galois field elements.

BACKGROUND

A Galois field GF(n) is a finite set of n elements closed under two binary operations, addition and multiplication. Computations on Galois field elements are frequently seen in communication systems and encryption standards, such as encryption standards for wireless applications. For example, Wireless Local Area Networks (WLAN) may rely on encryption to ensure the security of data transmitted wirelessly. One of the WLAN standards, IEEE 802.11i, incorporates the Advanced Encryption Standard (AES) of the National Institute of Standards and Technology (NIST), and AES is based on the Rijndael block cipher. In implementing AES, Galois field arithmetic is used for various computations, which may consume a majority of the hardware resources. In particular, the computation of inversions in a Galois field such as GF(2⁸), the non-linear step of the AES byte substitution, is one of the primary consumers of hardware resources.

A conventional implementation uses a look-up table to store the multiplicative inverses of all 255 nonzero elements of GF(2⁸). This approach is straightforward and has little latency, but requires many logic gates, and hence a larger area in an ASIC and higher power consumption. Another well-known approach is to use the Extended Euclidean Algorithm (EEA). For example, assume the field GF(2⁸) is constructed from some irreducible polynomial f(x) of degree eight. By the irreducibility of f(x), every nonzero element of GF(2⁸), when represented in its polynomial form p(x), is co-prime to f(x). That is, the greatest common divisor of f(x) and p(x) is one.

The EEA can then be used to find two polynomials q(x) and r(x) such that p(x)q(x) + f(x)r(x) = 1. Reducing both sides modulo f(x), one obtains p(x)q(x) = 1 mod f(x), and hence q(x) is exactly the multiplicative inverse of p(x) in GF(2⁸). Generally, to find a multiplicative inverse in GF(2^m), the EEA requires 2m time steps and has an area complexity of O(m). This method requires less hardware, but suffers from larger latency, which is not suitable for a high-throughput system such as a WLAN system.

An alternative approach performs the required computations in a sub-field to reduce hardware complexity. Observing that GF(2⁴) is a sub-field of GF(2⁸), GF(2⁸) can be constructed as a degree-2 extension of GF(2⁴) using an irreducible polynomial g(x) = x² + x + λ for some λ in GF(2⁴). In this approach, all computations are done in the sub-field GF(2⁴): to compute inv(x), the algorithm requires 4 multiplications and one multiplicative inversion in GF(16). Due to the complexity of the traditional techniques, there is a need for a technique for computing Galois field inversions that brings simplicity to hardware and software implementations.

SUMMARY

An aspect of the invention includes a data encryption method. The encryption method comprises the computation of the inverse of an element x in the Galois field GF(p^(2m)), wherein p is a prime number and m is an integer. In one embodiment, the computation of the inverse comprises: computing x^(p^m+1); computing an inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1); computing x^(p^m); and multiplying (x^(p^m+1))^(−1) by x^(p^m) to obtain the inverse of the element x, x^(−1).

Another aspect of the invention includes a data encryption device that is configured to compute at least an inverse of an element x in the Galois field GF(p^(2m)), wherein p is a prime number and m is an integer. The device comprises: a first group of logic gates configured to compute x^(p^m+1); a second group of logic gates configured to compute an inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1); a third group of logic gates configured to compute x^(p^m); and a fourth group of logic gates configured to multiply (x^(p^m+1))^(−1) by x^(p^m) to obtain the inverse of the element x, x^(−1).

Another aspect of the invention includes a method of computing an inverse of an element x in the Galois field GF(p^(2m)), wherein p is a prime number and m is an integer. In one embodiment, the method comprises: computing x^(p^m+1); computing an inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1); computing x^(p^m); and multiplying (x^(p^m+1))^(−1) by x^(p^m) to obtain the inverse of the element x, x^(−1).

DESCRIPTION OF THE DRAWING

FIG. 1 is a schematic block diagram illustrating a device for computing the inversion in GF(256) in embodiments consistent with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to Galois field computations, including the computation of the inverses of Galois field elements, such as the computations used in wireless local area network security applications. Embodiments consistent with the invention may provide techniques for computing the inverse of a Galois field element that bring simplicity, efficiency, or both to hardware or software implementations. Furthermore, embodiments consistent with the invention may allow circuit size reduction, including substantial chip area reduction, in hardware implementations, thereby benefiting applications such as WLAN security applications.

To illustrate the computation in embodiments consistent with the invention, we use GF(256) as an example. To find the multiplicative inverse in GF(256), we first look at the properties of GF(256): for any nonzero element x in GF(256), x^(256−1) = x²⁵⁵ = 1. Further, for any element x in GF(256), x¹⁷ lies in GF(16), a sub-field of GF(256): for nonzero x, (x¹⁷)^(16−1) = x²⁵⁵ = 1, and the 15 nonzero elements of GF(16) are exactly the elements of GF(256) whose 15th power is 1. Therefore, we may derive the following equation: Inverse_GF(256)(x) = x¹⁶·x⁻¹⁷ = x¹⁶·Inverse_GF(16)(x¹⁷).

The inversion in GF(256) can be greatly simplified by using the above observation, and may be broken down into the following steps:

compute x¹⁷;

compute (x¹⁷)⁻¹ in GF(16);

compute x¹⁶; and

multiply x¹⁶ by (x¹⁷)⁻¹.
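The following Python model is added here as an illustration; it is not part of the original disclosure. It carries out the four steps above for GF(2^(2m)) in general, of which GF(256) with m = 4 is the case discussed here and the p = 2 instance of the GF(p^(2m)) procedure given at the end of this description, and it cross-checks the result against the Extended Euclidean Algorithm described in the Background. The modulus 0x11B is the AES polynomial x⁸+x⁴+x³+x+1 adopted further below; the second instance, GF(16) over GF(4) with modulus x⁴+x+1 (0x13), is chosen for this example only. Function names are likewise chosen for this example.

```python
"""Tower-field inversion in GF(2^(2m)) through the sub-field GF(2^m), following the four
steps in the text, with the extended Euclidean algorithm (EEA) from the Background as reference.
Elements are ints whose bits are GF(2) polynomial coefficients; f is the irreducible modulus.
AES_POLY is x^8 + x^4 + x^3 + x + 1, the GF(256) polynomial the description adopts below."""

AES_POLY = 0x11B


def _deg(a):
    return a.bit_length() - 1


def poly_mul(a, b):
    """Carry-less product in GF(2)[x], no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Long division in GF(2)[x]; returns (quotient, remainder)."""
    q = 0
    while a and _deg(a) >= _deg(b):
        s = _deg(a) - _deg(b)
        q ^= 1 << s
        a ^= b << s
    return q, a


def gf_mul(a, b, f):
    return poly_divmod(poly_mul(a, b), f)[1]


def gf_pow(x, e, f):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, f)
        x = gf_mul(x, x, f)
        e >>= 1
    return r


def eea_inverse(p, f):
    """Reference inverse of p mod f: find q, r with p*q + f*r = 1 and return q."""
    if p == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, s0, s1 = f, p, 0, 1  # invariant: s_i * p == r_i (mod f)
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    return s1


def subfield_inverse_table(m, f):
    """Inverses of the nonzero elements of GF(2^m) inside GF(2^(2m)): the z with z^(2^m) == z."""
    q = 1 << m
    sub = [z for z in range(1, 1 << (2 * m)) if gf_pow(z, q, f) == z]
    assert len(sub) == q - 1, "f must be an irreducible polynomial of degree 2m"
    return {z: next(w for w in sub if gf_mul(z, w, f) == 1) for z in sub}


def tower_inverse(x, m, f, table=None):
    """x^-1 = x^(2^m) * (x^(2^m + 1))^-1; for m = 4 this is x^16 * (x^17)^-1 in GF(256)."""
    if x == 0:
        raise ZeroDivisionError("0 has no inverse")
    q = 1 << m
    table = table or subfield_inverse_table(m, f)
    norm = gf_pow(x, q + 1, f)        # step 1: x^(2^m+1), an element of GF(2^m)
    norm_inv = table[norm]            # step 2: invert in the sub-field (15-entry table for m = 4)
    frob = gf_pow(x, q, f)            # step 3: x^(2^m), GF(2)-linear in the bits of x
    return gf_mul(frob, norm_inv, f)  # step 4: one multiplication in GF(2^(2m))


def check_all(m, f):
    """True iff tower_inverse matches the EEA and x * x^-1 == 1 for every nonzero x."""
    table = subfield_inverse_table(m, f)
    for x in range(1, 1 << (2 * m)):
        y = tower_inverse(x, m, f, table)
        if y != eea_inverse(x, f) or gf_mul(x, y, f) != 1:
            return False
    return True


if __name__ == "__main__":
    print(hex(tower_inverse(0x53, 4, AES_POLY)))       # 0xca: FIPS-197 gives {53}*{CA} = {01}
    print(check_all(4, AES_POLY), check_all(2, 0x13))  # GF(256)/GF(16) and GF(16)/GF(4), f = x^4+x+1
```

The sub-field inverse is a table of 2^m − 1 entries (15 for GF(256)), which is the point of the construction: the only non-linear step is pushed into the small field, while steps 1, 3 and 4 are a fixed exponentiation and one multiplication in the large field.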

Each of these steps can be systematically constructed using AND and XOR gates. FIG. 1 is a schematic block diagram for the inversion in GF(256) according to an embodiment of the present invention. In FIG. 1, X is an element of GF(256) represented by the 8-tuple (a7, a6, a5, a4, a3, a2, a1, a0). Block 20 takes X as input and produces as output X¹⁶, in 8-tuple form (b7, b6, b5, b4, b3, b2, b1, b0). Block 20 raises X to the 16th power, which is a linear operation, so only XOR gates are needed. Alternatively, one can generate a design using CAD tools by providing the input-output relation in equation or truth-table form. Details are explained below. The equations for block 20 are:

b₀ = a₀ + a₄ + a₅ + a₆
b₁ = a₁
b₂ = a₁ + a₂ + a₄ + a₆ + a₇
b₃ = a₁ + a₃ + a₄ + a₆ + a₇
b₄ = a₁ + a₅ + a₆
b₅ = a₂ + a₃ + a₇
b₆ = a₁ + a₂ + a₃ + a₄ + a₇
b₇ = a₂ + a₃ + a₅

Block 40 takes X and produces X¹⁷, as another 8-tuple (c7, c6, c5, c4, c3, c2, c1, c0). Inverter 60 inverts X¹⁷ to X⁻¹⁷, in 8-tuple form (d7, d6, d5, d4, d3, d2, d1, d0). Multiplier 80 multiplies X¹⁶ by X⁻¹⁷ to obtain X⁻¹, as (e7, e6, e5, e4, e3, e2, e1, e0). The following paragraphs illustrate the operations in further detail.

We use the irreducible polynomial x⁸+x⁴+x³+x+1 (the polynomial used by AES) for the construction of GF(256). All elements of GF(256) can then be represented as 8-tuples (a₇a₆a₅a₄a₃a₂a₁a₀), or equivalently as residue polynomials a₇x⁷+a₆x⁶+a₅x⁵+a₄x⁴+a₃x³+a₂x²+a₁x+a₀, where each a_i is 0 or 1. Addition in GF(256) is computed by adding polynomials with each coefficient taken modulo 2, which is equivalent to a bit-wise XOR of the 8-tuples. Multiplication in GF(256) is computed by multiplying the polynomials, again with coefficients modulo 2, and reducing the resulting polynomial modulo the irreducible polynomial x⁸+x⁴+x³+x+1.

It can be shown that the element α = x + 1 (written with coefficients in descending order as the binary number b'00000011) is a primitive element of GF(256), i.e. its powers α, α², …, α²⁵⁵ run through all nonzero elements. Since α has order 255, α¹⁷ has order 15 and generates the nonzero elements of GF(16). For all discussions below, we use α¹⁷ = (b'00000011)¹⁷ = b'11100001 as a primitive element of GF(16).

The 16 elements of GF(16), written in the 8-bit representation of GF(256), are:

00000000
11100001 (= α¹⁷)
01011100 (= (α¹⁷)²)
00001100 (= (α¹⁷)³)
11100000 (= (α¹⁷)⁴)
10111101 (= (α¹⁷)⁵)
01010000 (= (α¹⁷)⁶)
11101100 (= (α¹⁷)⁷)
01011101 (= (α¹⁷)⁸)
11101101 (= (α¹⁷)⁹)
10111100 (= (α¹⁷)¹⁰)
10110001 (= (α¹⁷)¹¹)
10110000 (= (α¹⁷)¹²)
01010001 (= (α¹⁷)¹³)
00001101 (= (α¹⁷)¹⁴)
00000001 (= (α¹⁷)¹⁵ = 1)

Four basis elements of GF(16) over GF(2) can be chosen as follows:

00000001
00001100
01010000
11100000

or, equivalently, in polynomial form:

1
x³ + x²
x⁶ + x⁴
x⁷ + x⁶ + x⁵

All 16 elements of GF(16) can be represented as linear combinations of the above basis, and the coefficients of the combination can be read off directly from bits 1, 3, 5 and 6 of the 8-bit representation, counting the right-most bit as the first bit. For example: 10110001 = 1·(00000001) + 0·(00001100) + 1·(01010000) + 1·(11100000).

In the above example, the first basis element is multiplied by 1 (since the 1st bit of 10110001 is 1), the second basis element is multiplied by 0 (since the 3rd bit of 10110001 is 0), the third basis element is multiplied by 1 (since the 5th bit of 10110001 is 1), and the fourth basis element is multiplied by 1 (since the 6th bit of 10110001 is 1).

Since $\left(\sum_{i=0}^{7} a_i x^i\right)^2 = \sum_{i=0}^{7} a_i x^{2i} \bmod (x^8 + x^4 + x^3 + x + 1)$ (the cross terms $2a_i a_j x^{i+j}$ vanish modulo 2), squaring, and hence raising to any power of 2, is a linear operation in GF(2⁸), and x¹⁶ = (((x²)²)²)² can be implemented with only XOR gates. Specifically, if x = (a₇a₆a₅a₄a₃a₂a₁a₀) and x¹⁶ = (b₇b₆b₅b₄b₃b₂b₁b₀), one may derive the following relationships:

b₀ = a₀ + a₄ + a₅ + a₆
b₁ = a₁
b₂ = a₁ + a₂ + a₄ + a₆ + a₇
b₃ = a₁ + a₃ + a₄ + a₆ + a₇
b₄ = a₁ + a₅ + a₆
b₅ = a₂ + a₃ + a₇
b₆ = a₁ + a₂ + a₃ + a₄ + a₇
b₇ = a₂ + a₃ + a₅

Since x¹⁷ = x¹⁶·x, computing x¹⁷ is a quadratic function of the input bits. If x¹⁷ = (c₇c₆c₅c₄c₃c₂c₁c₀), then

$\sum_{i=0}^{7} c_i x^i = \left(\sum_{i=0}^{7} a_i x^i\right)\left(\sum_{i=0}^{7} b_i x^i\right) \bmod (x^8 + x^4 + x^3 + x + 1),$

and each c_i has the form c_i = Σ a_j b_l, the sum running over the index pairs (j, l) that the polynomial product and the modular reduction route to bit i, for i = 0, 1, 2, …, 7.

Because the b_l are linear functions of the a_j, each product a_j b_l expands into products of two input bits, and f(x) = x¹⁷ can be implemented using two-input AND gates to generate intermediate products and XOR gates to combine them into the final x¹⁷ function. Furthermore, because x¹⁷ is in GF(16), only c₀, c₂, c₄ and c₅ need to be calculated. Since a_i is either 0 or 1, a_i·a_i = a_i: a two-input AND with two identical inputs becomes an "identity" function of one input. In addition to the eight "identity" functions, there are only 28 non-trivial two-input AND functions:

f₁ = a₁a₀; f₂ = a₂a₀; f₃ = a₂a₁; f₄ = a₃a₀; f₅ = a₃a₁; f₆ = a₃a₂; f₇ = a₄a₀;
f₈ = a₄a₁; f₉ = a₄a₂; f₁₀ = a₄a₃; f₁₁ = a₅a₀; f₁₂ = a₅a₁; f₁₃ = a₅a₂; f₁₄ = a₅a₃;
f₁₅ = a₅a₄; f₁₆ = a₆a₀; f₁₇ = a₆a₁; f₁₈ = a₆a₂; f₁₉ = a₆a₃; f₂₀ = a₆a₄; f₂₁ = a₆a₅;
f₂₂ = a₇a₀; f₂₃ = a₇a₁; f₂₄ = a₇a₂; f₂₅ = a₇a₃; f₂₆ = a₇a₄; f₂₇ = a₇a₅; f₂₈ = a₇a₆

One can then derive the following expressions for c₀, c₂, c₄ and c₅:

c₀ = a₀ + a₂ + a₃ + a₅ + a₆ + f₅ + f₇ + f₈ + f₉ + f₁₁ + f₁₃ + f₁₆ + f₁₈ + f₂₀ + f₂₄ + f₂₅ + f₂₆ + f₂₇
c₂ = a₁ + a₂ + a₄ + a₅ + a₇ + f₁ + f₅ + f₆ + f₇ + f₈ + f₉ + f₁₀ + f₁₂ + f₁₃ + f₁₆ + f₂₀ + f₂₁ + f₂₂ + f₂₃ + f₂₅ + f₂₆ + f₂₇ + f₂₈
c₄ = a₁ + a₂ + a₄ + a₅ + a₇ + f₁ + f₃ + f₇ + f₁₀ + f₁₁ + f₁₅ + f₁₆ + f₁₇ + f₁₈ + f₂₅ + f₂₈
c₅ = a₁ + a₂ + a₄ + a₅ + a₇ + f₂ + f₃ + f₄ + f₆ + f₉ + f₁₁ + f₁₃ + f₁₄ + f₁₅ + f₁₉ + f₂₁ + f₂₂ + f₂₄ + f₂₇

In this example, f₇, f₁₆ and f₂₅ each contribute to three of the four output bits (c₀, c₂ and c₄), so these AND terms can be computed once and shared. Furthermore, CAD (Computer Aided Design) tools can be used to minimize the number of gates and/or the delay of each block.

As for the inversion block in GF(16), each of its 4 output bits is not a quadratic function of the 4 input bits (inversion in GF(16) is y ↦ y¹⁴ = y⁸·y⁴·y², of algebraic degree three). If the 4-bit representation of x⁻¹⁷ is (d₅d₄d₂d₀) and that of x¹⁷ is (c₅c₄c₂c₀), the inversion is defined for nonzero inputs by the following table, which follows from the list of powers of α¹⁷ above: the 4-bit pattern of (α¹⁷)^k is mapped to the 4-bit pattern of (α¹⁷)^(15−k).

Input (c₅c₄c₂c₀)    Output (d₅d₄d₂d₀)
0001                0001
0010                1100
0011                1001
0100                1011
0101                0110
0110                0101
0111                1010
1000                1101
1001                0011
1010                0111
1011                0100
1100                0010
1101                1000
1110                1111
1111                1110

Because it is a 4-bit-in, 4-bit-out look-up table, computer-aided-design (CAD) tools may be used to design the circuit and optimize its size or delay from the truth table alone.

For the product x¹⁶·x⁻¹⁷, one first converts the 4-bit representation of x⁻¹⁷ in GF(16) to its equivalent 8-bit representation in GF(256). This is a linear operation, as explained below. In the 4-bit representation x⁻¹⁷ = (d₅d₄d₂d₀), the four basis elements of GF(16) are:

00000001 (or, equivalently, 1 in polynomial form)
00001100 (or, equivalently, x³ + x²)
01010000 (or, equivalently, x⁶ + x⁴)
11100000 (or, equivalently, x⁷ + x⁶ + x⁵)

The polynomial representation of x⁻¹⁷ is therefore:

d₅x⁷ + (d₅ + d₄)x⁶ + d₅x⁵ + d₄x⁴ + d₂x³ + d₂x² + d₀

The multiplication of x⁻¹⁷ by x¹⁶, with x¹⁶ = (b₇b₆b₅b₄b₃b₂b₁b₀), may be written as:

$\sum_{i=0}^{7} e_i x^i = \left(d_5 x^7 + (d_5 + d_4) x^6 + d_5 x^5 + d_4 x^4 + d_2 x^3 + d_2 x^2 + d_0\right)\left(\sum_{i=0}^{7} b_i x^i\right) \bmod (x^8 + x^4 + x^3 + x + 1)$

The coefficients e_i, i = 0, 1, …, 7, are quadratic functions of the b_i and d_i (each term is the product of one d and one b). Therefore:

e₀ = d₀b₀ + d₂b₅ + d₂b₆ + d₄b₂ + d₄b₄ + d₄b₆ + d₄b₇ + d₅b₁ + d₅b₂ + d₅b₃ + d₅b₅
e₁ = d₀b₁ + d₂b₅ + d₂b₇ + d₄b₂ + d₄b₃ + d₄b₄ + d₄b₅ + d₄b₆ + d₅b₁ + d₅b₄ + d₅b₅ + d₅b₆
e₂ = d₀b₂ + d₂b₀ + d₂b₆ + d₄b₃ + d₄b₄ + d₄b₅ + d₄b₆ + d₄b₇ + d₅b₂ + d₅b₅ + d₅b₆ + d₅b₇
e₃ = d₀b₃ + d₂b₀ + d₂b₁ + d₂b₅ + d₂b₆ + d₂b₇ + d₄b₂ + d₄b₅ + d₅b₁ + d₅b₂ + d₅b₅ + d₅b₆ + d₅b₇
e₄ = d₀b₄ + d₂b₁ + d₂b₂ + d₂b₅ + d₂b₇ + d₄b₀ + d₄b₂ + d₄b₃ + d₄b₄ + d₄b₇ + d₅b₁ + d₅b₅ + d₅b₆ + d₅b₇
e₅ = d₀b₅ + d₂b₂ + d₂b₃ + d₂b₆ + d₄b₁ + d₄b₃ + d₄b₄ + d₄b₅ + d₅b₀ + d₅b₂ + d₅b₆ + d₅b₇
e₆ = d₀b₆ + d₂b₃ + d₂b₄ + d₂b₇ + d₄b₀ + d₄b₂ + d₄b₄ + d₄b₅ + d₄b₆ + d₅b₀ + d₅b₁ + d₅b₃ + d₅b₇
e₇ = d₀b₇ + d₂b₄ + d₂b₅ + d₄b₁ + d₄b₃ + d₄b₅ + d₄b₆ + d₄b₇ + d₅b₀ + d₅b₁ + d₅b₂ + d₅b₄

For the circuit design, CAD tools may again be used to optimize the multiplier for area or delay.

From the above discussion, the benefit of the invention is achieved by breaking the 8-bit-to-8-bit inverse function in GF(256) into several blocks, such as the blocks illustrated in FIG. 1, using the linear property of the x¹⁶ function, the quadratic property of the x¹⁷ function, and the 4-bit-to-4-bit inversion in the sub-field GF(16). For example, in a 0.18 μm process, the proposed implementation has a size of 494 ASIC gates in one embodiment, compared with 713 ASIC gates for a table look-up implementation. In one embodiment, one ASIC gate is about 10 μm² in area. Therefore, some embodiments consistent with the invention may provide a size reduction of about 30%.
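The Boolean equations of blocks 20, 40, 60 and 80 above, as an executable gate-level model added here for illustration (it is not part of the original disclosure). Every output bit is built only from the AND and XOR terms listed in the text; the GF(16) table of inverter 60 is derived by running multiplier 80 over the sub-field rather than copied in, and the complete inverter is checked bit-for-bit against an independent shift-and-add reference multiplication for all 255 nonzero inputs. The packing of 4-tuples as (d₅d₄d₂d₀), the numbering f₁…f₂₈ and all function names follow the text's conventions but are choices made for this example.

```python
"""Gate-level model of the GF(256) inverter of FIG. 1: block 20 (x^16), block 40 (x^17),
inverter 60 (GF(16) look-up) and multiplier 80, built from the Boolean equations in the
text ('+' is XOR, 'ab' is AND, a[i] is the coefficient of x^i) and checked bit-for-bit
against an independent reference multiplication for all 255 nonzero inputs."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

def bits(v, n=8):
    return [(v >> i) & 1 for i in range(n)]

def from_bits(bs):
    return sum(b << i for i, b in enumerate(bs))

def xor(*terms):
    return sum(terms) & 1

def block20_x16(a):
    """x^16 is GF(2)-linear, so each output bit is an XOR of input bits."""
    return [xor(a[0], a[4], a[5], a[6]), a[1],
            xor(a[1], a[2], a[4], a[6], a[7]), xor(a[1], a[3], a[4], a[6], a[7]),
            xor(a[1], a[5], a[6]), xor(a[2], a[3], a[7]),
            xor(a[1], a[2], a[3], a[4], a[7]), xor(a[2], a[3], a[5])]

# Block 40: x^17 = x^16 * x. f[k] are the text's 28 two-input ANDs (f1 = a1a0, f2 = a2a0,
# f3 = a2a1, ...); c_i = XOR of the listed a_j and f_k. Only c0, c2, c4, c5 are needed.
C_TERMS = {
    0: ((0, 2, 3, 5, 6), (5, 7, 8, 9, 11, 13, 16, 18, 20, 24, 25, 26, 27)),
    2: ((1, 2, 4, 5, 7), (1, 5, 6, 7, 8, 9, 10, 12, 13, 16, 20, 21, 22, 23, 25, 26, 27, 28)),
    4: ((1, 2, 4, 5, 7), (1, 3, 7, 10, 11, 15, 16, 17, 18, 25, 28)),
    5: ((1, 2, 4, 5, 7), (2, 3, 4, 6, 9, 11, 13, 14, 15, 19, 21, 22, 24, 27)),
}

def block40_x17(a):
    f = {}
    for j in range(1, 8):
        for l in range(j):
            f[len(f) + 1] = a[j] & a[l]
    c = {i: xor(*(a[j] for j in lin), *(f[k] for k in quad)) for i, (lin, quad) in C_TERMS.items()}
    return (c[5], c[4], c[2], c[0])  # GF(16) 4-tuple (c5 c4 c2 c0), as in the text

# GF(16) 4-tuples (d5 d4 d2 d0) <-> 8-bit elements via the basis 1, x^3+x^2, x^6+x^4, x^7+x^6+x^5.
def tuple_of(n):
    return ((n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1)

def gf16_byte(d):
    d5, d4, d2, d0 = d
    return d0 * 0x01 ^ d2 * 0x0C ^ d4 * 0x50 ^ d5 * 0xE0

# Multiplier 80: e_i = XOR of the listed d_k * b_j products (k in {0, 2, 4, 5}, j in 0..7).
E_TERMS = [
    ((0, 0), (2, 5), (2, 6), (4, 2), (4, 4), (4, 6), (4, 7), (5, 1), (5, 2), (5, 3), (5, 5)),
    ((0, 1), (2, 5), (2, 7), (4, 2), (4, 3), (4, 4), (4, 5), (4, 6), (5, 1), (5, 4), (5, 5), (5, 6)),
    ((0, 2), (2, 0), (2, 6), (4, 3), (4, 4), (4, 5), (4, 6), (4, 7), (5, 2), (5, 5), (5, 6), (5, 7)),
    ((0, 3), (2, 0), (2, 1), (2, 5), (2, 6), (2, 7), (4, 2), (4, 5), (5, 1), (5, 2), (5, 5), (5, 6), (5, 7)),
    ((0, 4), (2, 1), (2, 2), (2, 5), (2, 7), (4, 0), (4, 2), (4, 3), (4, 4), (4, 7), (5, 1), (5, 5), (5, 6), (5, 7)),
    ((0, 5), (2, 2), (2, 3), (2, 6), (4, 1), (4, 3), (4, 4), (4, 5), (5, 0), (5, 2), (5, 6), (5, 7)),
    ((0, 6), (2, 3), (2, 4), (2, 7), (4, 0), (4, 2), (4, 4), (4, 5), (4, 6), (5, 0), (5, 1), (5, 3), (5, 7)),
    ((0, 7), (2, 4), (2, 5), (4, 1), (4, 3), (4, 5), (4, 6), (4, 7), (5, 0), (5, 1), (5, 2), (5, 4)),
]

def block80_mul(d, b):
    dk = dict(zip((5, 4, 2, 0), d))
    return [xor(*(dk[k] & b[j] for k, j in row)) for row in E_TERMS]

def inverter60_table():
    """Inverter 60 as a 15-entry table, derived with multiplier 80 (find w with w*y = 1 in
    GF(16)) rather than typed in, so it can be compared against the table in the text."""
    table = {}
    for y in range(1, 16):
        yb = bits(gf16_byte(tuple_of(y)))
        table[tuple_of(y)] = next(tuple_of(w) for w in range(1, 16)
                                  if from_bits(block80_mul(tuple_of(w), yb)) == 1)
    return table

INV60 = inverter60_table()

def gate_inverse(x):
    """x^-1 = x^16 * (x^17)^-1 through the four blocks of FIG. 1 (x must be nonzero)."""
    a = bits(x)
    return from_bits(block80_mul(INV60[block40_x17(a)], block20_x16(a)))

def gf_mul_ref(a, b):
    """Independent reference: shift-and-add multiplication modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r

def verify_all():
    """True iff x * gate_inverse(x) == 1 for every nonzero x in GF(256)."""
    return all(gf_mul_ref(x, gate_inverse(x)) == 1 for x in range(1, 256))

def inverter60_rows():
    """The inverter 60 table as the text prints it: (c5c4c2c0, d5d4d2d0) strings."""
    return [("".join(map(str, k)), "".join(map(str, v))) for k, v in sorted(INV60.items())]

if __name__ == "__main__":
    print("all 255 inverses correct:", verify_all())
    print(*(f"{i} -> {o}" for i, o in inverter60_rows()), sep="\n")
```

Checking a hand-derived netlist against an arithmetic reference in this way is the step to take before synthesis: a single wrong AND term in block 40 or multiplier 80 would make the model fail verify_all() for some inputs while still passing spot checks, and the derived table lets the reader confirm the GF(16) inversion table printed above entry by entry.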

The multiplicative inversion in GF(256) noted above may be generalized to the design of a multiplicative inverter for any GF(p^(2m)), where p is a prime. For design purposes, raising to the p^m-th power in GF(p^(2m)) is a linear operation on the 2m-tuple representation of the element (it is the Frobenius map z ↦ z^(p^m), which is GF(p)-linear). Raising to the (p^m+1)-th power may also be implemented as a quadratic function. The field GF(p^m) is a sub-field of GF(p^(2m)) since m divides 2m. These properties can be used to break down and simplify the design for computing the multiplicative inverse of any nonzero element in GF(p^(2m)). We now describe the procedure in detail.

For any nonzero element x in GF(p^(2m)), x^(p^m+1) is an element of the sub-field GF(p^m), since (x^(p^m+1))^(p^m−1) = x^(p^(2m)−1) = 1 and the nonzero elements of GF(p^m) are exactly the roots of z^(p^m−1) = 1. The computation of the multiplicative inverse in GF(p^(2m)) can be broken down into the following 4 steps:

compute x^(p^m+1), which is a quadratic function of the coordinates of x;

compute the inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1);

compute x^(p^m), which is a linear operation in GF(p^(2m)); and

multiply (x^(p^m+1))^(−1) by x^(p^m), which is a quadratic function.

The foregoing disclosure of the preferred embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed.

Many variations and modifications of the embodiments described herein will be apparent to one of ordinary skill in the art in light of the above disclosure. The scope of the invention is to be defined only by the claims appended hereto, and by their equivalents.

Further, in describing representative embodiments of the present invention, the specification may have presented the method or process consistent with the present invention as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. 

1. A data encryption method comprising: computing an inverse of an element x in the Galois field GF(p^(2m)), wherein p is a prime number and m is an integer, the computation of the inverse comprising: computing x^(p^m+1); computing an inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1); computing x^(p^m); and multiplying (x^(p^m+1))^(−1) by x^(p^m) to obtain the inverse of the element x, x^(−1).
 2. The method of claim 1, wherein the computation of the inverse of the element x is conducted by a combination of logic gates.
 3. The method of claim 1, wherein the computation of the inverse of the element x is conducted by a group of logic gates consisting of a combination of AND gates and XOR gates.
4. The method of claim 1, wherein p=2 and m=4, and the encryption method uses GF(256) computations.
5. The method of claim 1, wherein computing x^(p^m+1), when p=2 and m=4, comprises computing a 4-tuple representation of x¹⁷, (c₅c₄c₂c₀), in terms of an 8-tuple representation of x, (a₇a₆a₅a₄a₃a₂a₁a₀).
6. The method of claim 5, wherein computing the 4-tuple representation of x¹⁷ comprises conducting the computations:
c₀ = a₀ + a₂ + a₃ + a₅ + a₆ + f₅ + f₇ + f₈ + f₉ + f₁₁ + f₁₃ + f₁₆ + f₁₈ + f₂₀ + f₂₄ + f₂₅ + f₂₆ + f₂₇;
c₂ = a₁ + a₂ + a₄ + a₅ + a₇ + f₁ + f₅ + f₆ + f₇ + f₈ + f₉ + f₁₀ + f₁₂ + f₁₃ + f₁₆ + f₂₀ + f₂₁ + f₂₂ + f₂₃ + f₂₅ + f₂₆ + f₂₇ + f₂₈;
c₄ = a₁ + a₂ + a₄ + a₅ + a₇ + f₁ + f₃ + f₇ + f₁₀ + f₁₁ + f₁₅ + f₁₆ + f₁₇ + f₁₈ + f₂₅ + f₂₈; and
c₅ = a₁ + a₂ + a₄ + a₅ + a₇ + f₂ + f₃ + f₄ + f₆ + f₉ + f₁₁ + f₁₃ + f₁₄ + f₁₅ + f₁₉ + f₂₁ + f₂₂ + f₂₄ + f₂₇,
wherein f₁ = a₁a₀; f₂ = a₂a₀; f₃ = a₂a₁; f₄ = a₃a₀; f₅ = a₃a₁; f₆ = a₃a₂; f₇ = a₄a₀; f₈ = a₄a₁; f₉ = a₄a₂; f₁₀ = a₄a₃; f₁₁ = a₅a₀; f₁₂ = a₅a₁; f₁₃ = a₅a₂; f₁₄ = a₅a₃; f₁₅ = a₅a₄; f₁₆ = a₆a₀; f₁₇ = a₆a₁; f₁₈ = a₆a₂; f₁₉ = a₆a₃; f₂₀ = a₆a₄; f₂₁ = a₆a₅; f₂₂ = a₇a₀; f₂₃ = a₇a₁; f₂₄ = a₇a₂; f₂₅ = a₇a₃; f₂₆ = a₇a₄; f₂₇ = a₇a₅; and f₂₈ = a₇a₆.
7. The method of claim 1, wherein computing the inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1), when p=2 and m=4, comprises computing a 4-tuple representation of (x¹⁷)⁻¹, (d₅d₄d₂d₀), in terms of a 4-tuple representation of x¹⁷, (c₅c₄c₂c₀).
8. The method of claim 7, wherein computing the 4-tuple representation of (x¹⁷)⁻¹ comprises computing based on the look-up table:

Input (c₅c₄c₂c₀)    Output (d₅d₄d₂d₀)
0001                0001
0010                1100
0011                1001
0100                1011
0101                0110
0110                0101
0111                1010
1000                1101
1001                0011
1010                0111
1011                0100
1100                0010
1101                1000
1110                1111
1111                1110


9. The method of claim 1, wherein computing x^(p^m), when p=2 and m=4, comprises computing an 8-tuple representation of x¹⁶, (b₇b₆b₅b₄b₃b₂b₁b₀), in terms of an 8-tuple representation of x, (a₇a₆a₅a₄a₃a₂a₁a₀).
 10. The method of claim 9, wherein computing the 8-tuple representation of x¹⁶, comprises conducting computations of: b ₀ =a ₀ +a ₄ +a ₅ +a ₆; b ₁ =a ₁; b ₂ =a ₁ +a ₂ +a ₄ +a ₆ +a ₇; b ₃ =a ₁ +a ₃ +a ₄ +a ₆ +a ₇; b ₄ =a ₁ +a ₅ +a ₆; b ₅ =a ₂ +a ₃ +a ₇; b ₆ =a ₁ +a ₂ +a ₃ +a ₄ +a ₇; and b ₇ =a ₂ +a ₃ +a ₅.
11. The method of claim 1, wherein multiplying (x^(p^m+1))^(−1) by x^(p^m), when p=2 and m=4, comprises computing an 8-tuple representation of x^(−1), (e₇e₆e₅e₄e₃e₂e₁e₀), in terms of an 8-tuple representation of x¹⁶, (b₇b₆b₅b₄b₃b₂b₁b₀), and a 4-tuple representation of (x¹⁷)⁻¹, (d₅d₄d₂d₀).
12. The method of claim 11, wherein computing the 8-tuple representation of x^(−1) comprises conducting the computations:
e₀ = d₀b₀ + d₂b₅ + d₂b₆ + d₄b₂ + d₄b₄ + d₄b₆ + d₄b₇ + d₅b₁ + d₅b₂ + d₅b₃ + d₅b₅;
e₁ = d₀b₁ + d₂b₅ + d₂b₇ + d₄b₂ + d₄b₃ + d₄b₄ + d₄b₅ + d₄b₆ + d₅b₁ + d₅b₄ + d₅b₅ + d₅b₆;
e₂ = d₀b₂ + d₂b₀ + d₂b₆ + d₄b₃ + d₄b₄ + d₄b₅ + d₄b₆ + d₄b₇ + d₅b₂ + d₅b₅ + d₅b₆ + d₅b₇;
e₃ = d₀b₃ + d₂b₀ + d₂b₁ + d₂b₅ + d₂b₆ + d₂b₇ + d₄b₂ + d₄b₅ + d₅b₁ + d₅b₂ + d₅b₅ + d₅b₆ + d₅b₇;
e₄ = d₀b₄ + d₂b₁ + d₂b₂ + d₂b₅ + d₂b₇ + d₄b₀ + d₄b₂ + d₄b₃ + d₄b₄ + d₄b₇ + d₅b₁ + d₅b₅ + d₅b₆ + d₅b₇;
e₅ = d₀b₅ + d₂b₂ + d₂b₃ + d₂b₆ + d₄b₁ + d₄b₃ + d₄b₄ + d₄b₅ + d₅b₀ + d₅b₂ + d₅b₆ + d₅b₇;
e₆ = d₀b₆ + d₂b₃ + d₂b₄ + d₂b₇ + d₄b₀ + d₄b₂ + d₄b₄ + d₄b₅ + d₄b₆ + d₅b₀ + d₅b₁ + d₅b₃ + d₅b₇; and
e₇ = d₀b₇ + d₂b₄ + d₂b₅ + d₄b₁ + d₄b₃ + d₄b₅ + d₄b₆ + d₄b₇ + d₅b₀ + d₅b₁ + d₅b₂ + d₅b₄.
13. A data encryption device configured to compute at least an inverse of an element x in the Galois field GF(p^(2m)), wherein p is a prime number and m is an integer, the device comprising: a first group of logic gates configured to compute x^(p^m+1); a second group of logic gates configured to compute an inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1); a third group of logic gates configured to compute x^(p^m); and a fourth group of logic gates configured to multiply (x^(p^m+1))^(−1) by x^(p^m) to obtain the inverse of the element x, x^(−1).
 14. The device of claim 13, wherein each of the first, second, third, and fourth groups of logic gates consists of a combination of AND gates and XOR gates.
 15. The device of claim 13, wherein the first group of logic gates consists of XOR gates and 2-input AND gates.
 16. The device of claim 13, wherein the second group of logic gates comprises logic gates designed by a computer-aided-design tool.
 17. The device of claim 13, wherein the third group of logic gates consists of XOR gates.
 18. The device of claim 13, wherein the fourth group of logic gates consists of AND gates and XOR gates.
19. A method of computing an inverse of an element x in the Galois field GF(p^(2m)), wherein p is a prime number and m is an integer, the method comprising: computing x^(p^m+1); computing an inverse of x^(p^m+1) in GF(p^m), (x^(p^m+1))^(−1); computing x^(p^m); and multiplying (x^(p^m+1))^(−1) by x^(p^m) to obtain the inverse of the element x, x^(−1).
 20. The method of claim 19, wherein p=2 and m=4. 